Michael Sparks wrote:
>> Anything where user input is executed as code is a security hole and
>> should never be opened to untrusted users.
>> foo = raw_input(...)
>> x = eval(foo)
> Is an exception, in almost[*] every scenario I can think of. (and is the
> context eval was being used as far as I can see without reading the whole
> thread)
> Why? Because if they can type on the keyboard of a machine that's running
> raw_input they have the ability to do far more damage that way than any
> other. (ability to use a real sledgehammer on the machine springs to mind
> :-)
Hmm...could be a remote connection such as ssh, which precludes the
sledgehammer though probably not the sort of mischief you can get into
with eval()...perhaps there are untrusted remote connections where
eval() would still be a significant risk, I don't know...
Kent
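Added illustration, not code from anyone in this thread: the `x = eval(foo)` pattern discussed above replaced by a restricted evaluator that walks the AST and accepts only numeric literals and basic arithmetic, so input over ssh or any other remote channel cannot reach names, calls or attributes. Function names are my own; it assumes Python 3.8+ (for `ast.Constant`).

```python
import ast
import operator

# Allow-list of binary operators the restricted evaluator will execute.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def safe_eval_arith(text):
    """Evaluate untrusted text as a numeric expression without eval().

    Only int/float constants, unary minus and + - * / are accepted.
    Any Name, Call, Attribute, Subscript or other node raises ValueError,
    so constructs that eval() would happily execute are never reached.
    """
    tree = ast.parse(text, mode="eval")  # SyntaxError on malformed input
    return _eval_node(tree.body)


def _eval_node(node):
    if isinstance(node, ast.Constant):
        # bool is a subclass of int; reject it explicitly.
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError("non-numeric constant")
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    raise ValueError("disallowed construct: %s" % type(node).__name__)


def is_accepted(text):
    """True if the input evaluates under the allow-list, False if rejected."""
    try:
        safe_eval_arith(text)
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False


if __name__ == "__main__":
    # Same shape as the thread's raw_input()/eval() pair, minus the hole.
    print(safe_eval_arith(input("expression: ")))
```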